
Still having some issues

mckryan

Posted 12 August 2008 - 12:37 PM

Member

29 posts

I got help here a couple of weeks ago, but I am still having issues. On boot-up, I get a COM Surrogate and ehRec.exe (2 times) error. My Malwarebytes scan didn't show any infections, but I'm doing a Kaspersky online scan that is showing infection. Here are some logs to get started:

SpySentinel

Posted 15 August 2008 - 04:40 PM

R.I.P.

Retired Staff

5,152 posts

Hey mckryan,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, so I ask for your patience. Please stick with me until we get your computer cleaned up.

I'm currently analyzing your log now, and I'll post back with a fix ASAP. Thanks for your patience.

Check some important areas of your system and produce a report for an analyst to review.

Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

Close all applications and windows.

Double-click on dss.exe to run it and follow the prompts.

If your anti-virus or firewall complains, please allow this script to run as it is not malicious.

When the scan is complete, two text files will open in Notepad:

main.txt <-- Will be maximized

extra.txt <-- Will be minimized

If not, they both can be found in the C:\Deckard\System Scanner folder.

Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet, especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the Internet.

Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

mckryan

Posted 17 August 2008 - 10:11 AM

Member

Topic Starter

29 posts

Okay, something odd is going on for sure. I downloaded Deckard's and closed everything before running it. No restore point was created, no temp files were deleted, and the recycle bin was not emptied, etc. I also received no prompts. It also only created one file for me - main.txt. I've looked in the logs, and there is no extra.txt. Here is the main.txt. Let me know what I should do since you are missing a text file.

__________________

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-08-17 12:09:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:

Once the files have been downloaded click on NEXT

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

Click OK

Now under "Select a target to scan", select My Computer.

The program will start and scan your system.

The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

Click on Start, click on Run, copy and paste the following in bold in the open window and then click OK:

"%userprofile%\desktop\dss.exe" /config

This will open up the DSS configuration. Click on Check All, then click Scan. DSS will now run again. When finished, please post back both logs that open in Notepad, main.txt and extra.txt.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08172008_182649

Files moved on Reboot...
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fla1FE0.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fla22DC.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fla2511.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fla2533.tmp not found!
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpodvd09.log moved successfully.
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DFF89.tmp moved successfully.
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DFFBF8.tmp not found!

Event Record #/Type: 9908 / Error
Event Submitted/Written: 08/17/2008 06:35:47 PM
Event ID/Source: 4786 / COM+
Event Description:
The system has called a custom component and that component has failed and generated an exception. This indicates a problem with the custom component. Notify the developer of this component that a failure has occurred and provide them with the information below.
Component Prog ID:
Server Application ID: {02D4B3F1-FD88-11D1-960D-00805FC79235}
Server Application Instance ID: {E60B0542-F2DE-4894-B2CA-AEFF3C025CF0}
Server Application Name: System Application
Exception: C0000005
Address: 0x7669413B

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

Google Toolbar - Get the free Google toolbar to help stop pop-up windows.
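An added example, written for this page and not part of SpySentinel's post or of the MVPS project, showing how a hosts-file blocklist like the one recommended above actually does its work, and what it does not cover. The hosts text is constructed: the ad and tracker domains are invented, and the final 10.0.0.5 line imitates the kind of entry malware adds to keep a machine from reaching an update server. The code parses the file the way a resolver reads it (comments stripped, several names per line, names case-insensitive, first mapping wins), answers whether a given name is sunk to the local machine, and flags any entry that points a name somewhere other than a local sink, since a blocklist never needs to do that.

```python
import ipaddress

# Constructed sample in the layout of an MVPS-style hosts file (not the real
# MVPS file). The ad/tracker domains are invented; the 10.0.0.5 line is the
# kind of redirect malware plants to cut a machine off from update servers.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Start of entries generated by MVPS HOSTS]
0.0.0.0   ads.example-adnetwork.net
0.0.0.0   tracker.example.org      # trailing comment is ignored
127.0.0.1 www.example-popups.com popups.example-popups.com
not-an-ip broken.example.net
10.0.0.5  www.windowsupdate.com
"""

# Addresses a blocklist uses as a sink: the name still resolves, but only to
# the local machine (127.0.0.1, ::1) or to "no address at all" (0.0.0.0).
LOCAL_SINKS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_hosts(text):
    """Map each hostname in a hosts file to its address.

    Comments (from '#' to end of line) and blank lines are dropped, names are
    lower-cased, one line may list several names for one address, and a line
    whose first field is not an IP address is skipped. If a name appears more
    than once, the first mapping is kept.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: a resolver ignores it, so do we
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def is_sinkholed(table, hostname):
    """True if the hosts file sends hostname to a sink address.

    Matching is on the exact name only: a hosts file has no wildcards, so a
    blocked "ads.example.net" does nothing for "cdn.ads.example.net".
    """
    ip = table.get(hostname.lower().rstrip("."))
    return ip is not None and ip in LOCAL_SINKS


def hijacked_entries(table):
    """Names the hosts file points at a non-local address.

    A blocklist only ever points names at LOCAL_SINKS, so any other target was
    put there by the administrator or by something else; malware uses the same
    mechanism to redirect or cut off security and update sites.
    """
    return {name: str(ip) for name, ip in table.items() if ip not in LOCAL_SINKS}


def blocked_count(table):
    """Number of names the file sinkholes (the localhost entry included)."""
    return sum(1 for ip in table.values() if ip in LOCAL_SINKS)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(f"{blocked_count(hosts)} names sinkholed")
    for name in ("ads.example-adnetwork.net", "cdn.ads.example-adnetwork.net",
                 "TRACKER.example.org", "www.windowsupdate.com"):
        print(f"{name}: {'blocked' if is_sinkholed(hosts, name) else 'not blocked'}")
    for name, ip in hijacked_entries(hosts).items():
        print(f"WARNING: {name} is redirected to {ip}")
```

Two points the sample makes that the description above leaves implicit: the file only matches whole names, so one blocked domain does not cover its subdomains or its IP address, and the very same mechanism that blocks ad servers can block or redirect anything else, which is why a hosts file on a machine being cleaned up is worth reading for entries that do not point at a local sink.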

mckryan

Posted 20 August 2008 - 02:33 PM

Member

Topic Starter

29 posts

I wanted to see what MalwareBytes came up with and here is the log. Is Registry Defender the issue here? It didn't show up in the last MalwareBytes scan, but I didn't do a full scan that time, just the quick one.